BENJAMIN H. SETTLE, District Judge.
This matter comes before the Court on Defendant Santander Consumer USA, Inc.'s ("Santander") motion to dismiss. Dkt. 19. The Court has considered the pleadings filed in support of and in opposition to the motion and the remainder of the file and hereby grants the motion in part and denies it in part for the reasons stated herein.
The factual allegations in Plaintiff Suzanne Buckley's ("Buckley") amended complaint are accepted as true for the purpose of ruling on the pending motion.
On some unspecified date prior to February 15, 2017, Buckley incurred a debt related to the financing of a purchased vehicle. Dkt. 15 at 2. The debt was financed through Santander. Id. Buckley's sales agreement with the vehicle dealership stated: "You agree to pay the Creditor — Seller . . . the Amount Financed and Finance Charge in U.S. funds according to the payment schedule below . . . ." Dkt. 19-1 at 2. Sometime later, but still before February 15, 2017, Buckley defaulted on her debt. Dkt. 15 at 2.
On some subsequent date, still before February 15, 2017, Buckley alleges two alternative theories whereby her personal information was transferred from Santander's possession so that it eventually fell into the hands of Apex National Services ("Apex"), a purported debt collection company. Id. Buckley first alleges that the information was stolen from Santander. Id. Under this theory, Buckley alleges that Santander "recklessly failed to maintain secure servers to impede any unauthorized access to sensitive consumer information" and "fail[ed] to notify [Buckley] that [her] personal identifying information had been disclosed to unauthorized third parties." Id. at 8-9. Alternatively, Buckley alleges that Santander "assigned, placed, or otherwise transferred the alleged debt to an unauthorized third party." Id. at 2. The information that Buckley alleges was improperly transferred to or obtained by a third party included Buckley's name, social security number, driver's license, address, file number, and vehicle identification number for the subject vehicle of Buckley's debt. Id.
On an unspecified date, prior to February 15, 2017, Apex contacted Buckley in an attempt to collect the alleged debt. Id. at 3. Buckley began negotiations with Apex and their agent, Universal Payment Processing ("Universal"), and eventually entered into an agreement to settle the entire alleged debt for $5,000. Id. On February 15, 2017, Buckley made the agreed-upon payment of $5,000 to Universal. Id. The same date, Universal sent Buckley a letter informing her that the alleged debt was satisfied in full. Id.
On May 16, 2017, Crown Asset Management LLC ("Crown"), a debt collection company, filed a lawsuit against Buckley to collect the same debt for which she had negotiated and issued a payment to Apex and Universal. Id. Through the course of the litigation, Buckley discovered that unfortunately, Apex "is an unauthorized or 'ghost' debt collector who does not legally collect from consumers and is not licensed in the state of Washington as a debt collector." Id. at 4. Instead, Buckley had been "tricked into paying a scam debt collector. . . ." Id.
On October 11, 2017, Buckley filed her class action complaint. Dkt. 1. On January 4, 2018, Buckley filed an amended class action complaint ("complaint"). Dkt. 15. In the complaint, Buckley asserts five claims against Santander: (1) violations of the Washington Consumer Protection Act ("CPA"); (2) negligence; (3) intrusion upon seclusion through disclosure of private information; (4) breach of contract; and (5) a violation of the Washington Data Breach Act ("DBA"). Id. at 7-11.
On January 18, 2018, Santander moved to dismiss Buckley's complaint. Dkt. 19. On February 5, 2018, Buckley responded. Dkt. 21. On February 9, 2018, Santander replied. Dkt. 22.
Motions to dismiss brought under Rule 12(b)(6) of the Federal Rules of Civil Procedure may be based on either the lack of a cognizable legal theory or the absence of sufficient facts alleged under such a theory. Balistreri v. Pacifica Police Department, 901 F.2d 696, 699 (9th Cir. 1990). Material allegations are taken as admitted and the complaint is construed in the plaintiff's favor. Keniston v. Roberts, 717 F.2d 1295, 1301 (9th Cir. 1983). To survive a motion to dismiss, the complaint does not require detailed factual allegations but must provide the grounds for entitlement to relief and not merely a "formulaic recitation" of the elements of a cause of action. Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007). Buckley must allege "enough facts to state a claim to relief that is plausible on its face." Id. at 570.
Santander has argued that Buckley's claims are inadequately pled because she can only speculate as to alternative theories. See Dkt. 19 at 9-10. The Court summarily rejects this argument. Pleading in the alternative is plainly not the type of formulaic "speculative" pleading prohibited by Twombly, 550 U.S. at 555. Rule 8 authorizes the pleading of inconsistent alternative theories. Fed. R. Civ. P. 8(d)(2). To the extent that Santander argues that Buckley has pled inconsistent facts, it is clear that the factual theories asserted by Buckley, while mutually exclusive, are not inconsistent with the overarching theory that Santander provided Apex access to Buckley's sensitive personal information. Moreover, these mutually exclusive factual theories are not asserted for a single unitary claim, but rather separate alternative claims, and "plaintiffs may state as many separate claims as they have regardless of consistency." In re Livent, Inc. Noteholders Sec. Litig., 151 F.Supp.2d 371, 406 (S.D.N.Y. 2001) (citing Fed. R. Civ. P. 8(e)).
Santander moves to dismiss Buckley's claims for violations of the CPA. Under the CPA, a person may bring a civil action against a business to recover damages stemming from any "[u]nfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce." RCW 19.86.020. "To establish a claim under the CPA, five elements must be established: '(1) unfair or deceptive act or practice; (2) occurring in trade or commerce; (3) public interest impact; (4) injury to plaintiff in his or her business or property; (5) causation.'" Svendsen v. Stock, 143 Wn.2d 546, 553 (2001) (quoting Hangman Ridge Training Stables, Inc. v. Safeco Title Ins. Co., 105 Wn.2d 778, 780 (1986)).
Buckley has pled two alternative claims under the CPA. Under the first theory, Buckley claims that Santander violated the CPA by assigning her debt or otherwise disclosing her personal information to an "unauthorized third party." Alternatively, Buckley argues that Santander violated the CPA by maintaining Buckley's information on an inadequately secured server and failing to notify her when the data was stolen. The Court will address the motion to dismiss as it pertains to each theory.
Santander moves to dismiss Buckley's CPA claim under the wrongful disclosure theory on the basis that the complaint's cursory allegations of a wrongful disclosure to an "unauthorized third party" are too vague to adequately plead an unfair or deceptive act or practice. There are three ways that a plaintiff may plead a deceptive or unfair act or practice. State v. Mandatory Poster Agency, Inc., 199 Wn.App. 506, 518 (2017), review denied, 189 Wn.2d 1021 (2017). One is to plead a per se violation that has been expressly prohibited by a relevant statute, id., but Buckley has not alleged that the allegedly wrongful disclosure of her personal information constitutes a per se CPA violation. The other two methods are to describe either an act or practice that has the capacity to deceive a substantial portion of the public, or a practice that is in violation of the public interest. Id.
The Court rejects Santander's argument that all of Buckley's CPA claims must be dismissed for the complaint's lack of "factual allegations relating to what [Santander]'s 'deceptive act' was, when it may have occurred, or who it involved." Dkt. 19 at 9. Santander is correct that Buckley does not allege that Santander has engaged in any misleading practices or made any misrepresentations. "Implicit in the definition of 'deceptive' under the CPA is the understanding that the practice misleads or misrepresents something of material importance." Holiday Resort Cmty. Ass'n v. Echo Lake Associates, LLC, 134 Wn.App. 210, 226 (2006), as amended on denial of reconsideration (Aug. 15, 2006). Accordingly, Buckley's claim cannot be premised on a "deceptive" act or practice, because no such misrepresentation has been alleged. Even so, "an act or practice can be unfair without being deceptive. . . . The 'or' between 'unfair' and 'deceptive' is disjunctive." Klem v. Washington Mut. Bank, 176 Wn.2d 771, 787 (2013).
Mellon v. Reg'l Tr. Servs. Corp., 182 Wn.App. 476, 489-90 (2014).
By alleging that Santander deliberately disclosed her information to an unauthorized third party, Buckley has outlined a theory that Santander intentionally exposed her to an unacceptable likelihood of being subject to identity theft or some other unlawful activity premised on the exploitation of her personal information. Buckley has further alleged that she was ultimately subject to such a fraudulent scheme premised on the misuse of her personal information regarding her debt with Santander and that she suffered $5,000 in economic damages as a result. The intentional disclosure of a consumer's social security number, driver's license, address, and other personal information to third parties not authorized to possess such information could in many circumstances be unethical, oppressive, and unscrupulous. Further, such a practice would be likely to inflict the harm of making consumers the target of identity theft or other deceptive schemes, such as the fraudulent debt collection scheme perpetrated upon Buckley by Apex.
Buckley's complaint is admittedly sparse on facts describing the details of the allegedly unlawful transfer of Buckley's information. However, it may be overlooked that Buckley has failed to allege much factual background information regarding the alleged transfer of information beyond the fact that it occurred prior to February 15, 2017. The Federal Rules "do not require heightened fact pleading of specifics, but only enough facts to state a claim to relief that is plausible on its face." Twombly, 550 U.S. at 570. Buckley has adequately identified what personal information is in Santander's possession and has offered an approximate time frame for when the allegedly wrongful disclosure occurred. Furthermore, as Buckley has noted in her response, this is a case where there are multiple possible theories as to how a defendant inflicted a particular injury, "however the details of how and why the wrong occurred are in the possession and control of [the] [d]efendant." Dkt. 21 at 5.
There remains a substantial question of whether Santander's alleged disclosure of Buckley's personal information to an unauthorized third party can bear a sufficient causal link to Buckley's harm of being tricked by Apex's fraudulent scheme. However, Santander has not moved for dismissal on this ground, and such an issue is likely best reserved for summary judgment proceedings since any detailed information regarding the alleged transfer is presently in the sole possession of Santander or the third party to which Santander allegedly made the disclosure of Buckley's information.
Santander also moves to dismiss Buckley's CPA claim under her stolen data theory on the basis that the DBA preempts CPA claims for failure to inform consumers of data breaches. Indeed, while the DBA authorizes the state attorney general to pursue CPA claims against businesses that fail to notify consumers of data breaches, the DBA expressly precludes CPA civil actions by persons or entities other than the attorney general. RCW 19.255.010(17) ("An action to enforce this section may not be brought under RCW 19.86.090."). In her response, Buckley notes that she is not basing any CPA claim on a violation of the DBA. Dkt. 21 at 12. Accordingly, to the extent Buckley's complaint can be construed to claim that Santander violated the CPA by failing to inform its consumers of a data breach, such allegations fail to state a CPA claim upon which relief can be granted.
However, the DBA only preempts claims pertaining to the failure to notify consumers of a data breach. The DBA does not deal with an entity's failure to maintain sensitive personal information on an adequately secured server. Accordingly, the Court must separately assess whether such a failure constitutes a violation of the CPA. In a recent decision, the Honorable James L. Robart, U.S. District Judge, determined that a credit union adequately pled a valid CPA claim premised on the theory "that Eddie Bauer failed to take proper measures to protect account information of credit and debit card holders with respect to its POS and data security systems." Veridian Credit Union v. Eddie Bauer, LLC, C17-0356JLR, 2017 WL 5194975, at *13 (W.D. Wash. Nov. 9, 2017). Judge Robart reasoned that inadequately securing such sensitive consumer information constituted an "unfair practice" because (1) it could foreseeably result in harm to thousands of consumers and payment card issuers, (2) the plaintiff had adequately alleged that such harm had actually occurred, and (3) with no ability to know of Eddie Bauer's allegedly deficient security measures, the consumers had little to no ability to avoid the harms engendered by such deficient security. See id., 2017 WL 5194975 at *13-14.
The Court agrees with the analysis set forth in Veridian and finds that it is equally applicable here. Santander received sensitive personal information that could result in significant financial harm to Buckley if mishandled. Santander's alleged "failure to take reasonably adequate security measures constitutes an unfair act because it knowingly and foreseeably put [Buckley] at a risk of harm from data theft and fraudulent . . . activity and this harm allegedly occurred." Id., 2017 WL 5194975 at *14. Accordingly, the Court denies Santander's motion to dismiss Buckley's CPA claims based on unfair practices. To the extent the complaint asserts conclusory claims of "deceptive" acts or practices without factual allegations of misrepresentations or omissions, those claims are dismissed.
Santander next moves to dismiss Buckley's negligence claims on the basis that Buckley has failed to allege facts supporting the existence of any legal duty to keep her information private.
Under Washington law, negligence requires "(1) the existence of a duty to the plaintiff, (2) a breach of that duty, (3) a resulting injury, and (4) the breach as the proximate cause of the injury." Degel v. Majestic Mobile Manor, 129 Wn.2d 43, 48 (1996). "[A]n actor ordinarily owes no duty to protect an injured party from harm caused by the criminal acts of third parties," Parrilla v. King Cty., 138 Wn.App. 427, 436 (2007), but there are exceptions to this general rule. For instance, a duty to prevent a third party's wrongdoing may arise "based on the existence of a 'special relationship' between either the actor and the victim, or between the actor and the criminal third party." Id. at 437. Such a special relationship has been recognized to arise between a business and its customers as follows:
Nivens v. 7-11 Hoagy's Corner, 133 Wn.2d 192, 205 (1997), as amended (Oct. 1, 1997).
Also, Washington courts have held that "a duty to guard against a third party's foreseeable criminal conduct exists where an actor's own affirmative act has created or exposed another to a recognizable high degree of risk of harm through such misconduct, which a reasonable person would have taken into account." Parrilla, 138 Wn. App. at 439. Under such a theory, it is necessary that the defendant have engaged in some "misfeasance," which "necessarily entails the creation of a new risk of harm to the plaintiff." Robb v. City of Seattle, 176 Wn.2d 427, 437 (2013). An example of this duty has arisen "when [a] bus driver affirmatively created a new risk by disembarking from a bus, leaving keys in the ignition with the engine running and an erratic passenger onboard, providing the instrumentality and opportunity to cause harm." Id. (citing Parrilla, 138 Wn.App. 427).
As discussed above, Buckley has alleged two alternative factual theories of this case. Under the first, Santander intentionally disclosed Buckley's personal information to an unauthorized third party. This constitutes an affirmative act, or "misfeasance." It is foreseeable that providing a customer's private information, including a social security number, driver's license, address, and other debt information, creates a new risk of harm to the customer, particularly of identity theft or other fraudulent schemes based on the exploitation of such data. Buckley's alleged harm of suffering from such a scheme is a directly foreseeable result of transmitting such information to an unauthorized third party. Accordingly, the Court finds that Buckley's theory that Santander deliberately transmitted her personal information to an unauthorized third party adequately alleges a duty to protect Buckley from the wrongful acts of Apex where Santander's "own affirmative act has created or exposed [her] to a recognizable high degree of risk of harm through such misconduct, which a reasonable person would have taken into account." Parrilla, 138 Wn. App. at 439.
Under the second theory, Santander allegedly maintained Buckley's private information with inadequate security and failed to inform her when it was stolen. The Court declines to find that allegations of Santander's failure to maintain adequate security implicate a common law legal duty that could support a negligence claim. The crux of whether a business can be liable for the acts of third parties absent a special relationship "is the distinction between an act and an omission." Robb, 176 Wn.2d at 435. In contrast with Buckley's first theory, Buckley's second theory does not allege that Santander took any affirmative act that placed Buckley's information in the hands of an unauthorized third party. In regards to the special relationship doctrine, the special relationship addressed in Nivens arose in the context of a business's "invitee," and review of that decision reveals that the Supreme Court's decision was specifically an extension of a business's liability for physical harm under a premises liability theory. Nivens, 133 Wn.2d at 203 (quoting Restatement (Second) of Torts § 344 (1965)). Buckley was not a business invitee of Santander, and she does not allege any physical harm under a theory of premises liability. Nor is it appropriate for the Court to rely on the reasoning in Merriman v. Am. Guarantee & Liab. Ins. Co., 198 Wn.App. 594 (2017), review denied (Sept. 28, 2017), as suggested by Buckley. See Dkt. 21 at 15. In Merriman it was determined that an insurance adjuster could be liable for a claim adjustment that fell below a well-established professional standard of care. Id. at 616 (citing First State Insurance Co. v. Kemper National Insurance Co., 94 Wn.App. 602, 612-13 (1999)) ("A claim for negligent claim handling exists in Washington."). 
No such well-established standard of professional liability has been breached here, and Washington courts have not recognized a "special relationship" between consumers and data custodians as they have between insurers and their insureds.
In any instance, the Court would be reticent to formulate any common-law "special relationship" not previously recognized or explicitly formulated by Washington case law or statute. The Second Restatement of Torts notes that "[t]he law appears . . . to be working slowly toward a recognition of the duty to aid or protect in any relation of dependence or of mutual dependence." Restatement (Second) of Torts § 314A cmt. b (1965). In our digital age, it could be argued that Buckley's allegations should implicate a previously unrecognized common law duty to maintain adequate security as to prevent data breaches that compromise sensitive personal information due to the parties' relationship. Indeed, once Buckley's information was submitted to finance her vehicle purchase, a custodial type of relationship was formed over Buckley's personal information that deprived Buckley of any meaningful opportunity to prevent the information from being obtained by wrongful actors like Apex. However, such a theory of the "special relationship" doctrine moves into uncharted waters that other courts have only recently begun to navigate under different state law tests. See Corona v. Sony Pictures Entm't, Inc., 14-CV-09600 RGK EX, 2015 WL 3916744, at *5 (C.D. Cal. June 15, 2015) (finding special relationship exists between employer and employees under California's six-factor "special relationship" test). Absent clear Washington authority, the Court declines to extend Washington's "special relationship" doctrine to include relationships between businesses and consumers when the parties' transaction involves the disclosure of private information.
Nonetheless, while the failure to implement adequate data security measures does not implicate a legal duty on its own, Buckley's second theory also alleges that Santander failed to notify Buckley after learning that her information had been stolen in a data breach. In Washington, "[a] duty may be predicated on violation of statute or of common law principles of negligence." Jackson v. City of Seattle, 158 Wn.App. 647, 651 (2010) (quotation marks omitted). While the Court declines to find that a "special relationship" existed between Buckley and Santander for the purpose of imposing liability for third-party acts, the DBA specifically imposes an obligation on businesses to notify their consumers of data breaches that compromise the type of information that was allegedly stolen in this case. RCW 19.255.010(1), (5)(a)(b). In determining whether a statutory provision indicates a duty that can sustain a negligence claim, Washington courts have adopted the test set forth in the Second Restatement of Torts, which states:
Hansen v. Friend, 118 Wn.2d 476, 480-81 (1992) (quoting Restatement (Second) of Torts § 286 (1965)).
The Court finds that this four-factor test is satisfied in regards to Santander's alleged violation of the DBA. The Washington legislature's comments on the DBA expressly state that the DBA was "intend[ed] to provide consumers whose personal information has been jeopardized due to a data breach with the information needed to secure financial accounts and make the necessary reports in a timely manner to minimize harm from identity theft." Laws of 2015, Ch. 64, § 1. As a consumer whose personal information had been jeopardized, Buckley falls within the class the DBA was enacted to protect. The DBA was enacted to protect the interest of such consumers in maintaining privacy and security in their sensitive personal information, which is the same interest that Buckley's allegations make clear was invaded. Finally, the DBA was intended to protect Buckley's interest in securely maintaining private information against the kind of financial harm Buckley suffered which was brought about by a form of identity theft.
Accordingly, the Court concludes that Buckley's complaint implicates legal duties that can support a negligence claim under either of her two theories. First, a legal duty is implicated by Santander's alleged misfeasance of disclosing Buckley's sensitive personal information to an unauthorized third party. Alternatively, a legal duty is implicated by Santander's alleged failure to carry out its duty under the DBA and notify Buckley that her sensitive personal information had been compromised in a known data breach.
Santander moves to dismiss Buckley's claim for intrusion upon seclusion. Washington common law recognizes a "protectable interest in privacy [that] is generally held to involve four distinct types of invasion: intrusion, disclosure, false light and appropriation." Eastwood v. Cascade Broad. Co., 106 Wn.2d 466, 469 (1986). Santander has moved to dismiss Buckley's privacy claims under either an intrusion or disclosure theory, but Buckley has expressly limited her claim to an intrusion theory. Dkt. 21 at 17 ("[Santander] makes an argument relating to the tort of public disclosure of private facts, however, [Buckley] has not pled this claim and thus, there is no need to address the argument.").
Under an intrusion theory, "[o]ne who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person." Mark v. Seattle Times, 96 Wn.2d 473, 497 (1981) (quoting Restatement (Second) of Torts § 652B (1977)). Washington courts have defined such a claim to require that a plaintiff establish the following elements:
Doe v. Gonzaga Univ., 143 Wn.2d 687, 705-06 (2001), reversed on other grounds, 536 U.S. 273 (2002).
Buckley has not alleged facts to suggest that Santander ever intentionally intruded upon her private affairs. "[A]n actor commits an intentional intrusion only if he believes, or is substantially certain, that he lacks the necessary legal or personal permission to commit the intrusive act." Poore-Rando v. United States, C16-5094 BHS, 2017 WL 5756871, at *2 (W.D. Wash. Nov. 28, 2017) (quoting O'Donnell v. United States, 891 F.2d 1079, 1083 (3d Cir. 1989)). Because Santander allegedly financed Buckley's vehicle purchase, Santander possessed the necessary legal permission to acquire Buckley's personal information. To the extent that Buckley complains that Santander deliberately passed this information along to an unauthorized third party, that is not a claim for intrusion but rather disclosure. Even if Buckley were to bring a claim for wrongful disclosure of private facts, the Court agrees that Buckley's pleadings lack the necessary allegations to support the necessary publicity element of such a claim. See Fisher v. State ex rel. Dep't of Health, 125 Wn.App. 869, 879 (2005) ("[P]ublicity for the purposes of [this claim] means communication to the public at large so that the matter is substantially certain to become public knowledge, and that communication to a single person or a small group does not qualify.").
Because Buckley has failed to allege a deliberate intrusion by Santander upon her private affairs, Buckley's intrusion upon seclusion claim must be dismissed.
Santander moves to dismiss Buckley's breach of contract claim on the basis that Buckley's complaint fails to allege facts that show the breach of any contract provisions. Santander has attached Buckley's sales agreement with the vehicle dealership as an exhibit to its motion. Dkt. 19-1.
Buckley's complaint has alleged the breach of two contract provisions. First, Buckley alleges that Santander breached an agreement to "not disclose any private information to unauthorized third parties." Dkt. 15 at 10. No such provision exists in the sales agreement. See Dkt. 19-1. Additionally, Buckley has abandoned this claim in her response, instead arguing only that Santander "breached the contract by forcing [her] . . . to pay the [sic] on the debt twice." Dkt. 21 at 18. Because Buckley has failed to specify any agreement that Santander would not disclose her information to third parties and has likewise failed to indicate how this may have formed an implied covenant of her sales agreement, the Court dismisses Buckley's breach of contract claim predicated on the disclosure of private information to third parties.
Buckley's short response to the motion to dismiss argues only that Santander allegedly "breached the contract by forcing [Buckley] . . . to pay the [sic] on the debt twice." Dkt. 21 at 18. Buckley identifies the following statement as the provision that was breached. "You agree to pay the Creditor — Seller . . . the Amount Financed and Finance Charge in U.S. funds according to the payment schedule below . . . ." Id. (quoting Dkt. 19-1 at 2). Buckley argues that "what [the contract] noticeably does not say, is that [Buckley] will pay the Creditor — Seller more than what is specified in the contract." Dkt. 21 at 18 (emphasis in original). But this argument is disingenuous and ignores key language of the purportedly breached provision. The provision states on its face that Buckley must pay the amount owed to the Seller or Creditor, and Buckley has not alleged that she ever did so. Instead, Buckley has stated that she defaulted on her loan and then allegedly paid her late due payments to Apex, which she identifies as a third party that was never authorized to collect the amount owed on behalf of Santander. Santander cannot have breached the contract by requiring Buckley to pay twice on her debt when the debt was never paid to Santander or an authorized collector in the first instance. Therefore, Buckley's breach of contract claim must be dismissed.
Finally, Santander moves to dismiss Buckley's DBA claim on the basis that Buckley has not adequately pled that Santander ever discovered any data breach. Liability under the DBA arises only when a business that owns such personal information fails to "disclose any breach of the security of the system following discovery or notification of the breach . . . ." RCW 19.255.010 (emphasis added). However, Buckley has alleged that Santander (1) was aware that Buckley's information was stolen prior to February 15, 2017, Dkt. 15 at 2, (2) "was aware that [Buckley]'s personal identifying information was in possession of an illegal third party," id. at 4, and (3) never contacted Buckley to notify her that her information had been compromised, id. at 11. Furthermore, Buckley has supported these claims with factual allegations that Apex obtained her private information connected with the debt owed to Santander and then perpetrated a fraud on her, resulting in $5,000 in damages. Santander offers no authority to support its position that Buckley must plead sufficient facts to rule out the possibility that Apex obtained her private information through some other means. The question of whether Santander actually suffered a data breach prior to February 15, 2017, is an issue more appropriately reserved for summary judgment.
Buckley has requested that the Court grant her leave to amend any claims that are inadequately pled. Dkt. 21 at 19. Leave to amend an initial pleading may be allowed by leave of the Court and "shall freely be given when justice so requires." Foman v. Davis, 371 U.S. 178, 182 (1962); Fed. R. Civ. P. 15(a). Granting leave to amend rests in the discretion of the trial court. Internat'l Ass'n of Machinists & Aerospace Workers v. Republic Airlines, 761 F.2d 1386, 1390 (9th Cir. 1985). In determining whether amendment is appropriate, the Court considers five potential factors: (1) bad faith, (2) undue delay, (3) prejudice to the opposing party, (4) futility of amendment, and (5) whether there has been previous amendment. United States v. Corinthian Colleges, 655 F.3d 984, 995 (9th Cir. 2011). The Court's decision is guided by the established practice of permitting amendments with "extreme liberality" in order to further the policy of reaching merit-based decisions. DCD Programs Ltd. v. Leighton, 833 F.2d 183, 186 (9th Cir. 1987). In light of this policy, the nonmoving party generally bears the burden of showing why leave to amend should be denied. Genentech, Inc. v. Abbott Labs., 127 F.R.D. 529, 530-31 (N.D. Cal. 1989). Here, Santander has not offered any reason why leave to amend should be denied. Accordingly, Buckley's request for leave to amend is granted.
Therefore, it is hereby
1. Buckley's CPA claim premised on Santander's failure to notify her of the alleged data breach is
2. Buckley's negligence claim premised on Santander's failure to maintain adequate security measures is
3. Buckley's intrusion upon seclusion claim is
4. Buckley's breach of contract claims are
5. To the extent Santander seeks to dismiss Buckley's remaining claims for negligence and violations of the CPA and DBA, its motion is
Additionally, Buckley's request for leave to amend is